Implement a managed service identity (via AAD Pod Identity) based secret handling strategy
As a:
Developer
I want:
Bedrock to create a managed service identity (MSI), install aad pod identity, create a keyvault w/ the correct policy allowing the MSI to read secrets. Then configure the AKS cluster to mount the secrets as text files within the filesystem.
So that:
any application installed into the default namespace can read secrets from the pre-configured keyvault.
Describe the solution you'd like:
See above.
Describe alternatives you've considered:
Kubernetes secrets, clear text secrets in private Github repos.
Additional context:
Secret management is not addressed well by Bedrock.
Does this require updates to documentation?:
Yes, as well as examples of YAML files for GitOps that map to the correct MSI identity for applications.
I have instructions for how to set up an AKS cluster and Managed Service Identity (MSI) - and correspondingly how I got Helium to retrieve secrets from the KeyVault using the identity in this file: https://github.com/microsoft/helium/blob/AKS/docs/deploying-helium-aks-msi.md
The above may be helpful as it outlines how Bedrock should be enhanced @andrebriggs
Hope that helps! :-)
@WilliamMortlMicrosoft - this particular item really consists of about three components:
- installation and configuration of KeyVault using MSI / podidentity
- examples on how to add secrets via TF to KV
- and, as you mentioned, example yaml files for gitops / msi mapping for apps
@jmspring agreed
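As an added illustration of the first two components listed above (the MSI plus a KeyVault whose access policy lets that identity read secrets, and adding a secret via Terraform), here is a Terraform sketch. It is example code written for this thread, not Bedrock's own configuration. It assumes the azurerm provider 2.x or later, and the resource group, identity, vault and secret names are made up for the example; the FlexVolume/CSI mount of secrets into the pod filesystem and the aad-pod-identity install itself are not covered here.

```hcl
# Example, not Bedrock code. Provisions: a user-assigned managed identity,
# a Key Vault whose access policy lets that identity read secrets, and one secret.
# Assumed: azurerm provider >= 2.0, names below are placeholders.

provider "azurerm" {
  features {}
}

# Tenant / object id of whoever runs terraform, used for the admin access policy.
data "azurerm_client_config" "current" {}

variable "db_password" {
  description = "Secret value to store; supply via TF_VAR_db_password, never commit it"
  type        = string
  sensitive   = true # requires Terraform >= 0.14
}

resource "azurerm_resource_group" "example" {
  name     = "rg-bedrock-example" # assumed name
  location = "eastus"
}

# The MSI that aad-pod-identity will attach to application pods.
resource "azurerm_user_assigned_identity" "app" {
  name                = "bedrock-app-identity" # assumed name
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
}

resource "azurerm_key_vault" "example" {
  name                = "kv-bedrock-example" # must be globally unique; assumed
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Policy 1: the principal running terraform can write secrets (needed to create them).
  access_policy {
    tenant_id          = data.azurerm_client_config.current.tenant_id
    object_id          = data.azurerm_client_config.current.object_id
    secret_permissions = ["Get", "List", "Set", "Delete"]
  }

  # Policy 2: the MSI gets read-only access to secrets and nothing else
  # (no keys/certificates, no Set/Delete), which is the least privilege an
  # application needs to fetch a secret at runtime.
  access_policy {
    tenant_id          = data.azurerm_client_config.current.tenant_id
    object_id          = azurerm_user_assigned_identity.app.principal_id
    secret_permissions = ["Get", "List"]
  }
}

# Adding a secret to the vault from Terraform; the value comes from a
# sensitive variable rather than being written into the .tf file.
resource "azurerm_key_vault_secret" "db_password" {
  name         = "db-password" # assumed secret name
  value        = var.db_password
  key_vault_id = azurerm_key_vault.example.id
}

# These two values are what the aad-pod-identity AzureIdentity resource
# (resourceID and clientID fields) needs when mapping an application to this MSI.
output "app_identity_resource_id" {
  value = azurerm_user_assigned_identity.app.id
}

output "app_identity_client_id" {
  value = azurerm_user_assigned_identity.app.client_id
}
```

The design point worth checking when reviewing a real version of this: the MSI's policy grants only Get/List on secrets, so a compromised pod bound to it can read the secrets it was meant to read but cannot rotate, delete or enumerate keys and certificates. The identity's resource id and client id are emitted as outputs because they are exactly what the GitOps YAML for the aad-pod-identity mapping (the third component in the list above) has to reference.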